From 5e96ff013ef0dcd55eb5d08e3d7da19d0b230109 Mon Sep 17 00:00:00 2001
From: Jess Jang
Date: Fri, 7 Jul 2023 10:50:17 -0500
Subject: [PATCH] fix: bind correct apparmor feature for validating snap seed
During Realtime kernel image build, there was an error during validating snap seed which derivative images copied 5.19 apparmor feature and can't validate when Realtime kernel (5.15) installed [0]. To prevent this, bind correct apparmor feature with kernel version.
[0] https://bugs.launchpad.net/ubuntu/+source/livecd-rootfs/+bug/2024639
(cherry picked from commit 6b54faa6be6286017eb2dc701534cf780ae462ce)
---
 live-build/functions | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
diff --git a/live-build/functions b/live-build/functions
index 8088cb28..7a97670c 100644
--- a/live-build/functions
+++ b/live-build/functions
@@ -756,12 +756,34 @@ snap_preseed() {
 snap_validate_seed() {
 local CHROOT_ROOT=$1
+ if [ -e ${CHROOT_ROOT}/boot/vmlinuz ]; then
+ local kern_major_min=$(readlink --canonicalize --no-newline ${CHROOT_ROOT}/boot/vmlinuz | grep --extended-regexp --only-matching --max-count 1 '[0-9]+\.[0-9]+')
+ if [ -d /usr/share/livecd-rootfs/live-build/apparmor/${kern_major_min} ]; then
+ # if an Ubuntu version has different kernel apparmor features between LTS and HWE kernels
+ # a snap pre-seeding issue can occur, where the incorrect apparmor features are reported
+ # basic copy of a directory structure overriding the "generic" feature set
+ # which is tied to the LTS kernel
+
+ # Bind kernel apparmor directory to feature directory for snap preseeding
+ umount "${CHROOT_ROOT}/sys/kernel/security/apparmor/features/"
+ mount --bind /usr/share/livecd-rootfs/live-build/apparmor/${kern_major_min} "${CHROOT_ROOT}/sys/kernel/security/apparmor/features/"
+ fi
+ fi
+
+
 if [ -e "${CHROOT_ROOT}/var/lib/snapd/seed/seed.yaml" ]; then
 snap debug validate-seed "${CHROOT_ROOT}/var/lib/snapd/seed/seed.yaml"
 /usr/lib/snapd/snap-preseed --reset $(realpath "${CHROOT_ROOT}")
 /usr/lib/snapd/snap-preseed $(realpath "${CHROOT_ROOT}")
 chroot "${CHROOT_ROOT}" apparmor_parser --skip-read-cache --write-cache --skip-kernel-load --verbose -j `nproc` /etc/apparmor.d
 fi
+
+ # Unmount kernel specific apparmor feature
+ # mount generic apparmor feature again (cleanup)
+ if [ -d /build/config/hooks.d/extra/apparmor/${kern_major_min} ]; then
+ umount "${CHROOT_ROOT}/sys/kernel/security/apparmor/features/"
+ mount -o bind /usr/share/livecd-rootfs/live-build/apparmor/generic "${CHROOT_ROOT}/sys/kernel/security/apparmor/features/"
+ fi
+
 }
 list_packages_from_seed () {
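Review bot: The cleanup at the end of snap_validate_seed tests `/build/config/hooks.d/extra/apparmor/${kern_major_min}` while the bind was set up under the condition `/usr/share/livecd-rootfs/live-build/apparmor/${kern_major_min}`, so unless both trees happen to exist the kernel-specific features bind is either never switched back to `generic` or umount/mount run on a features directory that was never rebound; both checks should test the same path, e.g. `if [ -d /usr/share/livecd-rootfs/live-build/apparmor/${kern_major_min} ]; then`, or better, set a flag when the bind is made and restore only on that flag. `kern_major_min` is taken from the first `N.N` anywhere in the canonicalized path, and that path includes `${CHROOT_ROOT}` itself, so a chroot located under a version-like directory (a constructed example: `/build/ubuntu-22.04/chroot`) would yield `22.04` instead of the kernel version; extracting from the basename, e.g. `basename "$(readlink --canonicalize "${CHROOT_ROOT}/boot/vmlinuz")" | grep --extended-regexp --only-matching --max-count 1 '[0-9]+\.[0-9]+'`, avoids that. None of the umount/mount calls are checked, and if `snap debug validate-seed` or the preseed step fails between the two binds the restore is skipped (whether this script runs under `set -e` is not visible in the hunk), leaving the chroot's apparmor features bound to the kernel-specific directory for later hooks; a `trap`-based or unconditional restore would be more robust. The unquoted `${CHROOT_ROOT}` in the `-e` test and the readlink call is also inconsistent with the quoted uses a few lines below.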